Apt Transparency

Speaker: Simon Josefsson

Track: MiniDebConf Berlin 2024

Type: Short Talk

Room: c-base

Time: May 19 (Sun): 10:30

Duration: 0:20

How to improve security of apt repositories with transparency techniques. I will describe attack threat models we should protect against that the apt ecosystem currently does not have any defense against. This goes beyond the current PGP/GnuPG-based trust system. I propose we need a mechanism inspired by WebPKI’s Certificate Transparency, and that we consider existing technologies such as HTTPS canary files, Sigstore’s public transparency log, Sigsum’s public transparency log, and Filippo Valsorda’s spicy signatures. I will talk about interactions with reproducible builds to increase safety of package upgrades.